Procedures for Making a Complaint
A covered entity must have a procedure for filing a HIPAA privacy complaint by individuals regarding its privacy practices or for an alleged violation of the Privacy Rule. Most importantly the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights. In addition, an organization must file complaints within 180 days of when you knew the violation occurred.
The privacy officer or designee investigates all complaints involving privacy of protected health information. The organization should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI. In a filing to the OCR, there should be information about the complainant. There should be details of the complaint and any additional information that might help OCR when reviewing the complaint.
On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civll Rights as it investigates complaints.
No Retaliation for Filing a Privacy Complaint
Above all an organization must not retaliate for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve and prevent them from happening again which helps protect the organization. On the other hand, an employee may complain directly to the OCR if retaliatory action occurred.
In conclusion there must be a good process for filing a privacy complaint and there should be not retaliation for doing so.
This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic.